
On Wednesday, just one week after a zero-day vulnerability was found in Java and patched with an update, yet another zero-day vulnerability has surfaced. This time the exploit is being sold in the cyber criminal world known as the Underweb.

Thu, 01/17/2013 - 02:08


Second Java Zero-Day Exploit Discovered and Sold In The Underweb for $5,000

It's been less than a week since we heard the news that Oracle's star software, Java, was being actively exploited. Oracle reported Monday that an update was available, patching the Java 7 vulnerability discovered last Thursday. New reports have now surfaced that, once again, Java has been critically compromised. And what's worse: the latest zero-day exploit is being sold off at $5,000 apiece to two lucky customers in the cyber criminal world known as the Underweb.

So how did this mess get started? It all began on Thursday, when Kafeine, a French security researcher who maintains a blog called "Malware Don't Need Coffee," posted an article stating that the latest version of Java at the time (Java 7 Update 10) was being exploited in the wild, and that the zero-day was already bundled into several exploit kits. The situation was of such grave concern that on Thursday the US Department of Homeland Security's US-CERT issued an urgent warning for all PC users to disable Java in their browsers until an update was made available.

Java Emergency Update Released

Just four days after the attacks were reported, Oracle released an emergency update, Java 7 Update 11, which serves as a stopgap fix for the vulnerability found on Thursday.

Though the update made available on Oracle's Web site did take some measures to fix the dangerous vulnerability in Java 7, Homeland Security continued to advise users to keep Java disabled in the browser even after updating, as the software was far from secure. In fact, Homeland Security advised that, if PC owners had not disabled it previously, they should strongly consider doing so.

"Unless it is absolutely necessary to run Java in web browsers, disable it," the Department of Homeland Security's Computer Emergency Readiness Team said on Monday in a posting on its website.

Enter Zero Day Vulnerability #2

Today proved that the advice Homeland Security gave to PC users was good indeed, as news hit the stands that despite the recent patch to this ubiquitous software, another zero-day exploit had been discovered in the latest release, Java 7 Update 11. This exploit was being sold by a black hat hacker. Black hats are mercenary security researchers who find exploits and sell them or use them for nefarious purposes. The hacker in question is reported to have marketed the zero-day exploit for the latest version of Java (version 7, update 11) on an exclusive, invite-only cybercrime forum.

According to security blogger Brian Krebs, who first discovered the listing, the exploit was being made available to two buyers at a not-so-modest price of $5,000 each. Both a weaponized version and the source code of the exploit were being offered by the seller.

Here is what the posting said.

"New Java 0day, selling to 2 people, 5k$ per person. You thought Java had epically failed when the last 0day came out. I lol'd. The best part is even-though java has failed once again and let users get compromised ... guess what? I think you know what I'm going to say ... there is yet another vulnerability in the latest version of java 7. I will not go into any details except with seriously interested buyers.

Code will be sold twice (it has been sold once already). It is not present in any known exploit pack including that very private version of [Blackhole] going for 10$k/month. I will be accepting counter bids if you wish to outbid the competition. What you get? Unencrypted source files to the exploit (so you can have recrypted as necessary, I would warn you to be cautious who you allow to encrypt ... they might try to steal a copy) Encrypted, weaponized version, simply modify the url in the php page that calls up the jar to your own executable url and you are set. You may pm me."

Soon after Krebs discovered it, the posting vanished into thin air. Krebs believes the exploit had likely made its way to a pair of buyers.
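The seller's description of the weaponized package (a PHP landing page that loads a JAR, which then fetches an executable from a URL the buyer controls) is the same delivery chain a defender sees on a web proxy. The following is an added example, not code from the article, Krebs, or the seller: it parses constructed proxy log lines and flags any client that fetches a JAR with the Java plugin's user agent (the "Java/1.7.0_11" token is what the Java runtime sends) and then downloads an executable within a short window. The log format, host names and IP addresses are all made up for the example.

```python
"""Flag a Java exploit-kit delivery chain (landing page -> JAR -> executable)
in web proxy logs. Added example with constructed data; not from the article."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed space-separated format:
#   timestamp client method url status content-type "user-agent"
# Client 10.0.0.12 shows the chain; 10.0.0.25 runs a legitimate intranet JAR
# and downloads an installer half an hour later; 10.0.0.40 only browses.
SAMPLE_LOG = """\
2013-01-17T02:01:05 10.0.0.12 GET http://ads.example/landing.php 200 text/html "Mozilla/5.0 (Windows NT 6.1) Firefox/18.0"
2013-01-17T02:01:06 10.0.0.12 GET http://ads.example/ex.jar 200 application/java-archive "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_11"
2013-01-17T02:01:09 10.0.0.12 GET http://cdn.example/update.exe 200 application/x-msdownload "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_11"
2013-01-17T02:03:00 10.0.0.25 GET http://intranet.example/app.jar 200 application/java-archive "Mozilla/4.0 (Windows 7 6.1) Java/1.7.0_11"
2013-01-17T02:30:00 10.0.0.25 GET http://vendor.example/setup.exe 200 application/x-msdownload "Mozilla/5.0 (Windows NT 6.1) Firefox/18.0"
2013-01-17T02:05:00 10.0.0.40 GET http://news.example/index.php 200 text/html "Mozilla/5.0 (Windows NT 6.1) Firefox/18.0"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<ctype>\S+) "(?P<ua>[^"]*)"$'
)
# The Java runtime identifies itself with a "Java/<version>" token.
JAVA_UA_RE = re.compile(r'\bJava/(?P<ver>\d+\.\d+\.\d+(?:_\d+)?)')
EXE_TYPES = {"application/x-msdownload", "application/x-dosexec",
             "application/octet-stream"}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    return events


def is_jar_fetch(ev):
    """A JAR (by type or extension) requested by the Java plugin itself."""
    looks_like_jar = (ev["ctype"] == "application/java-archive"
                      or ev["url"].lower().endswith(".jar"))
    return bool(looks_like_jar and JAVA_UA_RE.search(ev["ua"]))


def is_exe_fetch(ev):
    """An executable download, by content type or extension."""
    return ev["ctype"] in EXE_TYPES or ev["url"].lower().endswith(".exe")


def find_delivery_chains(text, window_seconds=60):
    """Return (client, java_version, jar_url, exe_url) for every client whose
    Java-plugin JAR fetch is followed by an executable download within
    window_seconds. The short window is what separates a drive-by drop from
    an unrelated installer download later in the day."""
    by_client = defaultdict(list)
    for ev in parse_log(text):
        by_client[ev["client"]].append(ev)

    window = timedelta(seconds=window_seconds)
    hits = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, jar in enumerate(evs):
            if not is_jar_fetch(jar):
                continue
            ver = JAVA_UA_RE.search(jar["ua"]).group("ver")
            for later in evs[i + 1:]:
                if later["ts"] - jar["ts"] > window:
                    break
                if is_exe_fetch(later):
                    hits.append((client, ver, jar["url"], later["url"]))
                    break
    return hits


if __name__ == "__main__":
    for client, ver, jar, exe in find_delivery_chains(SAMPLE_LOG):
        print(f"{client}: Java {ver} fetched {jar} then {exe}")
```

The Java version in the user agent is worth keeping in the alert: it tells the responder whether the victim was on 7u10, 7u11 or something older, which decides whether the known, patched bug or an unknown one was used.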

"To my mind, this should dispel any illusions that people may harbor about the safety and security of having Java installed on an end-user PC without taking careful steps to isolate the program," Krebs wrote.

What's worse is that this time around, the zero-day is one nobody outside the seller's circle knows about, which makes it all the more dangerous. As you may recall, the last exploit was identified by security researcher Kafeine because it had already been bundled into some popular exploit kits, but with this one, no one knows what the vulnerability is or how it is triggered. No one, that is, but the seller himself and his buyers.

What Should Be Done About Java? Security Specialists Weigh In

As I read about this latest Java exploit in the news, I began to wonder what this meant for the software as a whole. Would Oracle make moves to improve its security, or could this be the straw that breaks the camel's back, pushing us more speedily toward a web dominated by HTML5 rather than Java and Flash?

With these questions in mind I decided to hit up a casual acquaintance of mine, Mark Dowd, for some answers. Dowd is a longtime security researcher and founder of the Australian security consultancy Azimuth Security.

I asked Mark what his general impressions were of Java and its susceptibility to malicious attacks. Here is what he had to say about the matter.

"I have had experience with Java and I have found a number of vulnerabilities in it in the past. My impression of it was that the security was quite poor on multiple fronts ... I don't know what they do now in terms of security, but it isn't nearly enough ... Java has been shredded fairly constantly for the last 5 years or so -- this new thing is unsurprising ..."

I asked him what Oracle should be doing to improve Java's security.

"My guess is they should be more proactively secure [as] they seem very reactive to me," Dowd replied.

Dowd added:

"Everyone in security considers Java to be a large security risk [for this reason] Google took the proactive step of disabling it by default a while back."

What Mark had to say was mirrored in the words of other well-known security experts such as Bogdan Botezatu, a senior e-threat analyst with Bitdefender, a Romania-based maker of antivirus software.

According to Botezatu, as reported by PC World, the real solution is for Oracle to rewrite core components of Java from scratch.

Botezatu estimates that roughly 100 million PCs are vulnerable to attack as a result of these recent vulnerabilities in Java.

"Oracle needs to take some core components of Java and write them from scratch," the security researcher said in a recent interview. "These products have become so large and have been developed by so many programmers that the makers have most probably lost control over what's in the product."

It is unknown what will happen with Java on the security front; it is certainly not the only software subject to malicious attack, though it is undoubtedly one of the most widely targeted. For now, if you have still not taken steps to disable Java in your browser, I would encourage you to do so. Since Java 7 Update 10 the Java Control Panel has an option to turn off Java content in the browser, and each major browser can also disable the plugin itself; the task is not difficult, and Oracle and the browser vendors publish full instructions.
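For anyone auditing more than one machine, the two facts that matter are which Java update is installed and whether Java content in the browser has actually been switched off. The following is an added example, not code from the article or from Oracle: it parses the banner that `java -version` prints and a deployment.properties file, and reports both. It assumes (from the Java 7u10 release documentation) that the Control Panel's "Enable Java content in the browser" checkbox is persisted as the `deployment.webjava.enabled` property; the sample banner and property files below are constructed for the example.

```python
"""Report the installed Java update and whether browser Java is disabled.
Added example with constructed inputs; not from the article or from Oracle."""
import re
import subprocess

# `java -version` prints its banner to stderr, first line like:
#   java version "1.7.0_11"
VERSION_RE = re.compile(
    r'java version "(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)'
    r'(?:_(?P<update>\d+))?"')

# Assumed (from Java 7u10 documentation): this property is what the
# Control Panel checkbox "Enable Java content in the browser" writes.
WEBJAVA_KEY = "deployment.webjava.enabled"

# Constructed sample banner of a 7u11 install.
SAMPLE_VERSION_OUTPUT = '''java version "1.7.0_11"
Java(TM) SE Runtime Environment (build 1.7.0_11-b21)
Java HotSpot(TM) 64-Bit Server VM (build 23.6-b04, mixed mode)
'''
# Constructed sample deployment.properties contents.
SAMPLE_PROPS_ENABLED = "deployment.version=7.11\ndeployment.webjava.enabled=true\n"
SAMPLE_PROPS_DISABLED = "#Mon Jan 14 2013\ndeployment.version=7.11\n" \
                        "deployment.webjava.enabled=false\n"


def parse_java_version(banner):
    """Return (major, minor, patch, update) from a `java -version` banner,
    or None if no Java banner is present."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group("major")), int(m.group("minor")),
            int(m.group("patch")), int(m.group("update") or 0))


def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, key=value or key:value."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def browser_java_disabled(props_text):
    """True only if the property is explicitly 'false'; a missing key means
    the default, which is enabled."""
    return parse_properties(props_text).get(WEBJAVA_KEY, "true").lower() == "false"


def assess(banner, props_text, latest=(1, 7, 0, 11)):
    """Produce findings for one host. `latest` is the newest update the
    article names (7u11), which it reports is itself still exposed."""
    findings = []
    ver = parse_java_version(banner)
    if ver is None:
        return ["no Java runtime found; nothing to disable"]
    label = "%d.%d.%d_%d" % ver
    if ver < latest:
        findings.append("Java %s is older than 7u11; apply the update" % label)
    else:
        findings.append("Java %s is current, but 7u11 still has an unpatched 0-day" % label)
    if browser_java_disabled(props_text):
        findings.append("browser Java is disabled")
    else:
        findings.append("browser Java is ENABLED; set %s=false or remove the plugin"
                        % WEBJAVA_KEY)
    return findings


def installed_java_banner():
    """Run `java -version` on this host; returns '' if Java is not on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except OSError:
        return ""
    return proc.stderr + proc.stdout


if __name__ == "__main__":
    for line in assess(SAMPLE_VERSION_OUTPUT, SAMPLE_PROPS_ENABLED):
        print(line)
```

Note that the verdict treats an absent `deployment.webjava.enabled` as enabled: the 7u10 checkbox only writes the key when it is changed, so "not found" must not be read as "safe".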